Download Some topics in application level security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Oracle Database wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Microsoft Access wikipedia , lookup

Concurrency control wikipedia , lookup

Open Database Connectivity wikipedia , lookup

Functional Database Model wikipedia , lookup

IMDb wikipedia , lookup

Database wikipedia , lookup

Relational model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Healthcare Cost and Utilization Project wikipedia , lookup

Clusterpoint wikipedia , lookup

ContactPoint wikipedia , lookup

Database model wikipedia , lookup

Transcript
Some topics in application level
security
Databases
Sendmail
DRM
More on databases
• We’ve already seen the basics of SQL
injections attacks
• But there are other ways to “attack” databases
(in SQL or other versions)
• A few additional issues:
– Updates and two phase commits
– Access control
– Information privacy
Updating databases
• Large scale distributed databases come with
issues relating to multiple updates
– Two people can access/modify a record at the same
time
– Get many of the same issues that arise with parallel
processors and shared resources.
• Even if multiple alterations don’t conflict, still
have to deal with network or computer failure
mid-commit
– Goal: avoid leaving the database in an inconsistent
state
Two phase commit
• The solution in most databases is a particular
update protocol:
• 1. Request phase: all parts of the database that
need to change are flagged
– Result is either complete success or it aborts
– If it aborts, all changes are reset
• 2. Commit phase: changes are performed on the
database
– If successful, all flags are released.
– If it aborts, it again rolls back all changes to before
phase 1.
Access control in databases
• Access control sometimes comes from the OS
level, but additional controls are built into
many database systems
• Example:
– Separate ACL system
– Often separate web-based side from back-end, to
minimize vulnerabilities
– First principles used: least privilege and separation
of privilege
Access control in SQL
• Discretionary based: owner/creator can grant
privileges to others
• Example command:
GRANT SELECT on (table) TO (user)
– Also have a PUBLIC keyword
• Also can create a virtual subset of the data,
called a view, so that user can get full access
to only a subset of the data
– Think personnel records
Privilege delegation
• Can also give other users permission to
delegate, with the command WITH GRANT
OPTION
• This can later be revoked, which means the
application needs to track who has been
granted access and when
– If Alice is granted access and gives it to Bob, but
later loses her access, need to revoke Bob’s access
also
Sensitive data
• Databases can be encrypted, or (more
commonly) certain entries can be encrypted
– Obvious example: passwords
• Can also store entire encrypted files but give
decryption key only to users, so that the
information cannot be compromised
• However, more complex questions arise when
we want aggregated data available, but not
individual data
Privacy protection
• If databases containing private information are
released, certain fields can be sanitized
– SSNs, names, addresses, etc.
• However, inference attacks are still possible
– Goal is to use database information as well as public
information to learn more about underlying data
– Example: employee records
– Medical records, GIS data, and communication
records are becoming particularly important here
Two examples
• Netflix and IMDB both released databases of user
habits
– Netflix left off all user info, but in IMDB that
information can be left on (at user’s discretion)
– Researchers at UT Austin managed to determine a
Netflix user based on the IMDB data
• Medical encounter database:
– Anonymized insurance database kept birthday, sex
and zip code
– Researcher from CMU linked this with voter
registration records and found the medical record of
the governor of Massachusetts
Protecting against inference attacks
• Standard techniques:
– Cell suppression: some cells are removed in the
published version, to make inference attacks
harder
– Generalization: Instead of specific values, ranges
are included in the released database
• Example: Age range rather than specific age
– Noise addition: Every value in the database has a
small(ish) random number added to it
• Goal: Average doesn’t change, but each individual entry
does
Downside of obfuscation
• For each of these, the data becomes less
specific, so there is a trade-off.
– In the extreme, data is so blurred that it is useless.
• No widely accepted standard, and this is a hot
area of research
• Many are focused on what formal
requirements we should have, as well as more
and more sophisticated attacks.
K-anonymization
• Database is secure if any possible SELECT
query will return at least k records, where k is
some threshold
• Often accomplished by adding fake data to the
database
– But as little fake data as possible
• One of the earliest notions of how privacy is
“good enough” in a database
– Heavily criticized but still used
Differential privacy
• For any record R in the database and sensitive
property P, the probability p that R is in the
database and the probability p’ that R is not in
the database differ by at most some ε
– Essentially, given two very similar databases, the
probability that a query will look the same from
each is very high
• Considerably more sophisticated, but also
harder to work with
Email protocols
• Various protocols are involved in email
• SMTP: simple mail transfer protocol
– Responsible for delivering message from client to
recipient’s mail server
– Text based, application layer protocol that uses TCP
• POP and IMAP
– Both responsible for delivering mail from server to
recipient
– POP is older, and designed for dial-up
– IMAP better since it can coordinate both on and off-line, so
it maintains a persistent connection when possible
– IMAP also allows for client-side search of server records
Email security
• None of these protocols have any security built in
– So vulnerable to sniffing, etc.
• Encryption is almost always incorporated
– Usually at the transport layer and not just encryption
of the messages
– Most use SSL/TLS for TCP traffic
• However, must then trust the server
– So ISP employee can probably read everything on that
ISP’s mail server
– Additional implications for government access, etc.
PGP – end to end encryption
• One system to address this is PGP encryption
• Public key system to encrypt and/or digitally
sign emails end to end
• Relies on notion of web of trust to avoid manin-the-middle attacks
– Public keys can be digitally signed by other trusted
users (called introducers)
– After using the system for a while, the user will
have a collection of trusted keys and can then
introduce others
MIME
• An extension of the original email protocol
(SMTP) that allows exchange of more kinds of
files
– E.g. audio, images, applications
• MIME header goes at the beginning of any
message, and clients use that to render or
display appropriately
s/MIME – message authentication
• Method to sign a
message in order to
authenticate the sender
• Again relies upon public
key cryptography
– Key either transmitted
securely or attested by
an authority that is
trusted
• Email is structured
according to MIME
standard, and then
signature given at end
Domain Keys Identified Mail (DKM)
• Method to authenticate a mail agent
– A signing entity (usually server of the sender) adds
a signature
• DNS based for distribution of public keys of
the signing entities
– And hence
vulnerable to
DNS attacks
DKIM pros and cons
• It is ridiculously easy to alter the FROM field on
an email, and DKIM has been useful for stopping
this
– Example: Gmail now rejects any messages from eBay
or PayPal that don’t have a valid DKIM signature to
verify their origin
• But not foolproof: can still have spammer make
an ad at a reputable domain so that they get a
signed copy of the message
• Also not MIME-aware, which allows some
potential for rewriting and breaking signatures
Digital rights management
• DRM aims to protect copyrighted content
– It is a general practice, and not a technical
protocol
– Implemented in many ways
– Controversial!
Simple DRM
• Can simply encrypt digital media, and then
build the decryption key into authorized
players
– Generally, the file can only be played on the
device that downloaded it, since player is the only
one that can decrypt the decryption key
– Minimizes vulnerability, since if that system is
compromised, only gain access to the files that
player has downloaded
CD DRM: history
• In 2002, DRM on audio CDs became standard.
• In 2005, Sony included DRM by default
– Inserting a CD in Windows XP default configuration
led to automatic installation
– So DRM software installed itself silently, and “hid”
itself (like a rootkit)
– Later, researchers found that this code had a
vulnerability, so that users were compromised without
their knowledge
– Led to lawsuits and eventual patching and halting of
the technology
DVD DRM
• DVDs use the Content Scrambling System (CSS),
where licensed DVD players contained decryption
key (and all communication was encrypted)
– Based on secrecy of the protocol, and so of course
was broken
– Still the default, however
• Blueray uses AACS, which is similar but is publicly
available
– Also uses stronger encryption and keys
Other DRM types
• DRM also exists on iTunes content
– Called FairPlay, and encrypts track so that only
purchaser can play the content
– Although music is currently DRM free
• Netflix and Hulu use DRM to keep content
restricted to up-to-date account holders
• Ebooks incorporate similar versions of this
technology